Windows Log File Archiving and Management

Windows Log Files contain the specific data for each event record published by the operating system and applications. When reliably collected and securely stored, these authentic files can be used to validate all event log activity. This is particularly important in rigorous forensic investigations of security related activities.

ELM Enterprise Manager has the tools to archive the Windows Log Files. In addition to providing a backup of the native event log files, ELM features real-time event log monitoring, alerting and scheduled reporting. With the log files securely stored in a file system and the event records available in an MS SQL Server database, ELM provides the best of both worlds.

Windows Log File Archiving

Here is how Windows log file archiving works. On a schedule (daily by default), the ELM Agent assigned as Event File Collector copies the native log files from the monitored system. If the storage location satisfies the free disk space requirement, the log files are transferred to the designated location. In addition, as a check for file corruption or tampering, an MD5 hash can be computed and stored with the log files. Two caveats apply to that check: MD5 is no longer collision-resistant, so a stronger digest such as SHA-256 is preferable where the evidence may be challenged, and a digest stored beside the file on the same volume only detects accidental corruption; anyone with write access to the archive can rewrite both. For tamper evidence, keep a copy of the digests (or a signed manifest) in a separate, append-only location.
With the potential for over 200 logs and millions of events written each day, the storage requirements for the Windows Log Files can grow unexpectedly fast. To reduce these disk storage costs, ELM provides several important tools:

Clearing Event Logs

“Clear Logs after collection” is a commonly used feature of the Event File Collector. It clears the selected logs after they have been securely archived, which prevents the storage bloat that results from archiving the same events repeatedly. Note that clearing the Security log itself writes event ID 1102 (“The audit log was cleared”); monitoring rules that alert on 1102 should expect it at the scheduled collection time and treat it as suspicious at any other time.

File Compression

File compression can also yield large disk savings. ELM provides an option for using the widely accepted GNU zip (gzip) compression algorithm. Because event log files are highly repetitive, it is not unusual to achieve a 90% reduction in size.

Log File Selection

Although there can be hundreds of event logs, many are often empty or contain only low-value event records. ELM includes the ability to select which event logs should be archived and which ones can be ignored.
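The following PowerShell script is an added example, not ELM's own code, of the archive cycle described in this section: a free-space check, export of a selected set of logs in native .evtx format, a SHA-256 digest per file, gzip compression, a manifest that a later verification can recompute against, and an optional clear-after-collection step. The log names, destination path and free-space threshold are assumed values; the script needs to run elevated on the monitored host.

```powershell
# Added example (not ELM's code): archive selected Windows event logs, hash, compress,
# write a manifest, and optionally clear the logs once the archive copy exists.
# Assumed: elevated session on the monitored host; $Destination is writable.
param(
    [string[]] $LogNames    = @('Security', 'System', 'Microsoft-Windows-Sysmon/Operational'),
    [string]   $Destination = 'D:\EvtxArchive',
    [int]      $MinFreeGB   = 5,
    [switch]   $ClearAfterCollection
)

$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$runDir = Join-Path $Destination "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

# Free-space requirement is checked before anything is copied.
$freeGB = (Get-Item $Destination).PSDrive.Free / 1GB
if ($freeGB -lt $MinFreeGB) {
    throw "Only $([math]::Round($freeGB, 1)) GB free on the archive volume; need $MinFreeGB GB."
}

$manifest = @()
foreach ($log in $LogNames) {
    # Channel names such as Microsoft-Windows-Sysmon/Operational contain '/', not valid in a file name.
    $fileBase = $log -replace '[\\/]', '-'
    $evtx     = Join-Path $runDir "$fileBase.evtx"

    # wevtutil epl exports the channel as an authentic .evtx file.
    wevtutil epl $log $evtx /ow:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for $log (exit $LASTEXITCODE)" }

    # Digest of the uncompressed file; verification recomputes exactly this.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $evtx).Hash

    # gzip via the .NET stream classes, then drop the uncompressed copy.
    $in  = [System.IO.File]::OpenRead($evtx)
    $out = [System.IO.File]::Create("$evtx.gz")
    $gz  = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
    try { $in.CopyTo($gz) } finally { $gz.Dispose(); $out.Dispose(); $in.Dispose() }
    Remove-Item $evtx

    $manifest += [pscustomobject]@{
        Log      = $log
        File     = "$fileBase.evtx.gz"
        Sha256   = $hash
        Exported = (Get-Date).ToString('o')
    }

    # Clear only after the archive copy exists and has been hashed.
    # Clearing the Security log writes event 1102; expect it at collection time.
    if ($ClearAfterCollection) { wevtutil cl $log }
}

$manifest | ConvertTo-Json | Set-Content -Path (Join-Path $runDir 'manifest.json') -Encoding UTF8

function Test-EvtxArchive {
    # Recompute each digest from the gzipped file and compare it with the manifest.
    param([string] $ArchiveDir)
    $entries = Get-Content (Join-Path $ArchiveDir 'manifest.json') -Raw | ConvertFrom-Json
    foreach ($e in $entries) {
        $in  = [System.IO.File]::OpenRead((Join-Path $ArchiveDir $e.File))
        $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
        $sha = [System.Security.Cryptography.SHA256]::Create()
        try {
            $actual = [System.BitConverter]::ToString($sha.ComputeHash($gz)) -replace '-', ''
        } finally { $sha.Dispose(); $gz.Dispose(); $in.Dispose() }
        [pscustomobject]@{ Log = $e.Log; Intact = ($actual -eq $e.Sha256) }
    }
}
```

Dot-source the script (`. .\Archive-Evtx.ps1 -ClearAfterCollection`) so that `Test-EvtxArchive -ArchiveDir D:\EvtxArchive\HOST-20240101-020000` is available afterwards. The manifest is written to the same directory as the files for simplicity; in a real deployment copy it to a location the collector account cannot modify, otherwise an attacker who can alter the archive can also rewrite the digests that are supposed to expose the alteration.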

Event Log Monitoring, Alerting and Reporting

ELM Enterprise Manager – Log Licenses include both the Event File Collector and the Event Collector. While their names are similar, their functions are very different. For Windows log file archiving, the Event File Collector copies and securely stores the native Windows log files (.evtx). The Event Collector, by contrast, supports real-time event log monitoring, alerting and reporting.

Using the Event Collector, local Agents monitor the logs for new events. Immediately after an event is written, it is assembled, encrypted and transferred to the central ELM Server. From there, events are inserted into a Microsoft SQL Server database. In parallel, the events are evaluated against Event Filters, which populate the Event Views and trigger alerts. These Views can also be configured to mine events from the Primary Database.

With the events reliably stored in the database, the reporting engine can be used to build reports and deliver them via email. Both pre-configured and custom report options are available. Because the events are in a database, reports can be scheduled, alerts triggered and diagnostic Event Views reviewed.

With the ELM Enterprise Manager – Log License, the authentic log files (.evtx) are archived in a file system and the event records are inserted into an MS SQL Server database. ELM thus takes two separate paths for validating and processing the Windows event logs: the archived files preserve the original evidence, and the database copy supports monitoring, alerting and reporting.